Monday, July 27, 2009

More than 9 out of every 10 Windows users are vulnerable to the Flash zero day vulnerability that Adobe won't patch until Thursday, a Danish security company said today.

The most current versions of Flash Player,9.0.159.0 and 10.0.22.87 are vulnerable to hackers conducting drive-by attacks hosted on malicious and legitimate but compromised sites. Antivirus vendors have reported hundreds, in some cases thousands, of sites launching drive-bys against Flash.

Adobe has acknowledged that Flash, Reader and Acrobat contain a critical bug. Last Wednesday, it kicked its security process into high gear, promising it would deliver patches for Flash by July 30, and fixes for Reader and Acrobat by July 31.

PSI scans Windows systems for installed applications, then compares their version numbers to the most up-to-date editions; if they're different, it makes note, then provides a link to the patch update. "[A] PC user with vulnerabilities in his installed software, is like a house owner with open or unlocked doors," said Mikkel Winther, the manager of Secunia's PSI partner program, in an e-mail. "Maybe nobody will rob his house or compromise his system, but it is indeed possible and he hasn't secured himself against it."